Office of Audit
IMPROVEMENTS ARE NEEDED TO STRENGTHEN ELECTRONIC AUTHENTICATION PROCESS CONTROLS
Final Report issued on September 7, 2016
Highlights of Reference Number: 2016-20-082 to the Internal Revenue Service Chief Information Officer.
IMPACT ON TAXPAYERS
The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers. The IRS estimated that unauthorized accesses may have occurred on approximately 724,000 taxpayer accounts as a result of fraudulent activity on its online Get Transcript application. The consequences of unauthorized accesses include compounding the taxpayers’ preexisting identity theft issues and potential delays in tax return processing while identity theft issues are resolved.
WHY TIGTA DID THE AUDIT
In May 2015, the IRS discovered that fraudsters, using personal information stolen from third parties, had been able to perpetrate an attack on the online Get Transcript application by successfully authenticating via the eAuthentication process. The overall objective of this review was to evaluate the appropriateness of the IRS’s response to the Get Transcript incident and the effectiveness of the proposed solution to address the authentication weakness which allowed the incident to occur.
WHAT TIGTA FOUND
The IRS has undertaken a number of steps to improve systems and provide for more secure authentication, including strengthening application and network controls. However, additional actions could further improve security over the eAuthentication process.
Due to poor communication between the IRS and its contractor, the IRS did not have complete knowledge of what was being screened at the Integrated Enterprise Portal, and thus it was unaware of the weaknesses related to detecting automated attacks or which tools it might need to address them. The IRS did not clearly specify which parties, including IRS divisions and contractors, were responsible to detect and prevent such automated attacks.
At the time of the Get Transcript incident, audit log reports were not being adequately monitored. For example, in July 2014, one user attempted to authenticate 902 times within one 24-hour period, which far exceeded the unusual activity trigger. Additionally, the IRS did not have a routine way to correlate audit log information across different repositories. During the audit period, the IRS was able to produce the required reports, but they were only lists of individual transactions and contained no summary information from which trends could be identified. Additionally, some useful transaction information was not captured in eAuthentication audit logs. The IRS also did not provide responsible staff with the tools and training needed to monitor and analyze large amounts of audit log data.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer: 1) clarify IRS and contractor responsibilities related to preventing automated attacks; 2) monitor results of controls being put in place to prevent/detect automated attacks; 3) ensure that management implements IRS policy to monitor audit trails; 4) provide security specialists with adequate tools and training; 5) implement enhancements to audit log analysis; 6) compile periodic summary data of eAuthentication volume and unusual activity trigger event transactions; and 7) ensure that audit trails indicate which target application the user intended to access after authenticating.
The IRS agreed with our recommendations. The IRS stated that it has completed four of the seven recommendations. In addition, the IRS plans to provide security specialists with training, produce monthly reports for unusual activity, and ensure that audit trails indicate the target application.
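The following is an added example, not code from TIGTA or the IRS, showing the kind of audit log analysis the findings above say was missing and that recommendations 5 through 7 call for: a rolling 24-hour attempt count per user against an unusual activity trigger, correlation of eAuthentication records with portal web logs held in a separate repository, and a daily summary of volume, trigger events and records that lack a target application. The log formats, field names, the threshold of 20 attempts, the IP addresses and every log line are constructed for illustration; the report does not describe the real eAuthentication or Integrated Enterprise Portal log formats or the actual trigger value.

```python
"""Audit-log analysis example (constructed data; not IRS or TIGTA code)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical trigger: more than this many attempts by one user within any
# rolling 24-hour window counts as an "unusual activity" event.
ATTEMPT_TRIGGER_24H = 20
WINDOW = timedelta(hours=24)

# Constructed eAuthentication audit records: ts user event src_ip target_app.
# "-" marks a record with no target application (the gap in recommendation 7).
# u100 makes 30 attempts in 30 seconds, the shape of an automated attack.
EAUTH_LOG = "".join(
    f"2014-07-10T01:00:{i:02d} u100 AUTH_FAIL 203.0.113.5 -\n" for i in range(30)
) + (
    "2014-07-10T09:00:00 u200 AUTH_OK 198.51.100.7 GetTranscript\n"
    "2014-07-10T09:05:00 u300 AUTH_OK 198.51.100.7 -\n"
    "2014-07-11T09:30:00 u200 AUTH_OK 198.51.100.9 GetTranscript\n"
)

# Constructed portal (IEP) access records from a separate repository: ts ip user_agent.
PORTAL_LOG = (
    "2014-07-10T01:00:00 203.0.113.5 python-requests/2.3\n"
    "2014-07-10T09:00:00 198.51.100.7 Mozilla/5.0\n"
    "2014-07-10T09:05:00 198.51.100.7 Mozilla/5.0\n"
    "2014-07-11T09:30:00 198.51.100.9 Mozilla/5.0\n"
)


def parse_eauth(text):
    """Parse the constructed eAuthentication format into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, ip, app = line.split()
            rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                         "event": event, "ip": ip,
                         "app": None if app == "-" else app})
    return rows


def parse_portal(text):
    """Parse the constructed portal access-log format into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, ua = line.split(maxsplit=2)
            rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua})
    return rows


def trigger_events(rows, limit=ATTEMPT_TRIGGER_24H, window=WINDOW):
    """Return {user: peak attempts in any rolling window} for users over the limit."""
    per_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        per_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        recent, peak = deque(), 0
        for t in stamps:
            recent.append(t)
            while t - recent[0] >= window:   # drop stamps older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > limit:
            flagged[user] = peak
    return flagged


def users_per_ip(rows):
    """Source IPs seen with more than one user: a credential-stuffing indicator."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}


def correlate(eauth, portal, slack=timedelta(minutes=5)):
    """Join eAuth records to portal requests by source IP and time proximity,
    so the portal's user agent becomes visible next to the authentication event."""
    by_ip = defaultdict(list)
    for p in portal:
        by_ip[p["ip"]].append(p)
    return [(r["user"], r["ip"], p["ua"]) for r in eauth
            for p in by_ip.get(r["ip"], []) if abs(r["ts"] - p["ts"]) <= slack]


def daily_summary(eauth, flagged):
    """Per-day volume, per-event counts, trigger events and records missing a
    target application: the summary view the transaction lists did not give."""
    days = defaultdict(Counter)
    for r in eauth:
        d = days[r["ts"].date().isoformat()]
        d["attempts"] += 1
        d[r["event"]] += 1
        if r["app"] is None:
            d["missing_target_app"] += 1
        if r["user"] in flagged:
            d["trigger_event_records"] += 1
    return dict(days)


if __name__ == "__main__":
    eauth, portal = parse_eauth(EAUTH_LOG), parse_portal(PORTAL_LOG)
    flagged = trigger_events(eauth)
    print("users over trigger:", flagged)
    print("shared source IPs:", users_per_ip(eauth))
    print("user agents behind flagged users:",
          {u: sorted({ua for user, _, ua in correlate(eauth, portal) if user == u})
           for u in flagged})
    for day, counts in sorted(daily_summary(eauth, flagged).items()):
        print(day, dict(counts))
```

The rolling window is the point of the first function: a fixed calendar-day count would miss a burst that straddles midnight, and the report's example (902 attempts in a 24-hour period) is expressed as a window, not a date. The join in `correlate` is deliberately loose (same IP within a few minutes) because the two repositories share no transaction identifier in this constructed data; a real correlation key, such as a session or request ID written to both logs, is what the recommendation on audit-log enhancements would provide.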
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta